This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP port range filter

1

Hello,

How might I write a display filter for a tcp port range?

I'm wanting to filter two sets of ranges. TCP/8600-8619 and TCP/8400-8402

thanks,

J

asked 10 Jul '13, 06:43

JTech_17's gravatar image

JTech_17
417712
accept rate: 0%

2 Answers:
active answersoldest answersnewest answerspopular answers
0

Please try this:

(tcp.dstport >= 8600 and tcp.dstport <= 8619) or (tcp.dstport >= 8400 and tcp.dstport <= 8402)

HINT: That will only show traffic in one direction, which is from client --> server. However, that should be enough the figure out the tcp stream number, and then filter on that in a second step, possibly with tshark.

tshark -nr input.pcap -R "(tcp.dstport >= 8400 and tcp.dstport <= 8402) or (tcp.dstport >= 8400 and tcp.dstport <= 8402)" -T fields -e tcp.stream | sort

Then use that output and filter on tcp.stream

Regards
Kurt

permanent link

answered 10 Jul '13, 07:01

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 10 Jul '13, 07:20

Thanks for the extra Tshark component, very nice.

J

(10 Jul '13, 07:57) JTech_17
0

With newer versions of libpcap (0.9.1 and later):

(tcp portrange 8600-8619) or (tcp portrange 8400-8402)

You can break it down further if you care about source or destination ports. As an example:

(tcp dst portrange 8600-8619) or (tcp src portrange 8400-8402)

More information can be found on the manpages

permanent link

answered 25 Nov '15, 11:49

SwDevMan81's gravatar image

SwDevMan81
363612
accept rate: 50%

edited 25 Nov '15, 11:54

That's a capture filter, not a display filter; it's useful, but it doesn't solve this particular problem.

(26 Nov '15, 13:44) Guy Harris ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×752
×349
×9

question asked: 10 Jul '13, 06:43

question was seen: 45,815 times

last updated: 26 Nov '15, 13:44

Related questions

Filter to detect start of TCP connections

Graph not showing captured data?

TCP flags capture filter

Counting incoming TCP open & http GET requests to a web server

Find Delayed FIN packets in a large capture

Why Wireshark display filter does not show http packets?

Is there a filter for a Full TCP sequence ?

how to calculate service response time for SAML ?

How to create a filter to remove TCP sessions with no payload

What should I see in capture when there is TCP error: Could not connect to the server?

about | faq | privacy | support | contact

p​o​w​e​r​e​d by O​S​Q​A